Submission Details
Severity:
The TimelockController Does Not Enforce The EMERGENCY_DELAY
Summary
The constant EMERGENCY_DELAYin the TimelockControlleris not used. It should enforce a delay of 1 day for any emergency actions so users may take the steps needed to protect their assets.
Vulnerability Details
This delay is not enforced when emergency actions take place.\
Impact
Users of RAAC may not be able to protect their assets in extreme conditions
Tools Used
manual review
Recommendations
Enforce the EMERGENCY_DELAY
function executeEmergencyAction(
address[] calldata targets,
uint256[] calldata values,
bytes[] calldata calldatas,
bytes32 predecessor,
bytes32 salt
) external payable onlyRole(EMERGENCY_ROLE) nonReentrant {
bytes32 id = hashOperationBatch(targets, values, calldatas, predecessor, salt);
if (!_emergencyActions[id]) revert EmergencyActionNotScheduled(id);
+ Operation storage op = _operations[id];
+ if(op.executed) revert OperationAlreadyExecuted(id);
+ if(block.timestamp < op.timestamp + EMERGENCY_DELAY) revert OperationNotReady(id);
Updates
Lead Judging Commences
inallhonesty 7 months ago
Submission Judgement Published Assigned finding tags:
TimelockController emergency actions bypass timelock by not enforcing EMERGENCY_DELAY, allowing immediate execution
inallhonesty 7 months ago
Submission Judgement Published Assigned finding tags:
TimelockController emergency actions bypass timelock by not enforcing EMERGENCY_DELAY, allowing immediate execution
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420
USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.